Over the last two days the folks at DHS ICS-CERT have published advisories on two different Siemens systems: on Thursday one for Siemens Process Suite, and today one for Siemens Automation License Manager (ALM). The first involves an out-of-date product that Siemens acquired, but it also affects newer Wonderware InTouch systems. The second affects a wide range of Siemens products.
Process Suite Vulnerability
This password file vulnerability was reported by Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin. Login information, including passwords, is stored in a .INI file without adequate encryption, so a relatively low-skilled attacker with only read access to the system could obtain those credentials and subsequently log onto the system with administrator privileges.
The affected Siemens systems are no longer supported, and Siemens strongly recommends upgrading to a more recent HMI. The Wonderware situation is not so clear from the advisory. Early in the document (page 1) ICS-CERT notes that Wonderware InTouch 2012 R2 and previous versions are affected. Later (page 3) it notes that Invensys “recommends using Windows integrated security features or migrating the HMI and OS to versions currently supported and then install their security update”.
Of course, earlier (page 1) ICS-CERT notes that Invensys “recommends using Windows integrated security rather than the InTouch security subsystem but has created a new patch to mitigate this vulnerability”, only there is no patch for this vulnerability listed on the Invensys Cyber Security Updates page. Oh well, it’s been a long week and I may be confused easily.
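Neither advisory names the file in question, but the weakness described above (credentials in a .INI file that any account with read access can open) is easy to check for on your own HMI hosts. The following PowerShell script is an added example written for this post, not code from Siemens, Invensys or ICS-CERT; the installation directory, the principal names and the `password=` key pattern are assumptions you should adjust to your installation. It lists every .INI file under the directory that both grants Read to a broad local group and contains what looks like a stored password.

```powershell
# Added example (not from the advisories or the vendors): audit an HMI
# installation directory for .INI files that low-privileged accounts can read
# and that appear to hold credentials. The root path is a placeholder you
# must supply; the advisories do not name the file.
param(
    [string]$HmiRoot = 'C:\ProgramData\ExampleHMI'   # assumed path, change it
)

# Principals that amount to "any interactive or network user on this box".
$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

Get-ChildItem -Path $HmiRoot -Filter '*.ini' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName

    # Allow ACEs that grant ReadData to one of the broad principals.
    $broadRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    }

    # Keys that look like stored credentials (assumed key names; the match is
    # case-insensitive). Only the key name is reported, never the value.
    $credLines = Select-String -LiteralPath $file.FullName `
        -Pattern '^\s*(password|pwd|passwd)\s*=' -ErrorAction SilentlyContinue

    if ($broadRead -and $credLines) {
        [pscustomobject]@{
            File       = $file.FullName
            ReadableBy = ($broadRead.IdentityReference.Value | Sort-Object -Unique) -join ', '
            CredKeys   = ($credLines | ForEach-Object { ($_.Line -split '=')[0].Trim() }) -join ', '
        }
    }
}
```

A hit from this script does not prove the credentials are usable (the values may be hashed or encrypted well enough), but it tells you which files to tighten with ACLs right away while you plan the move to Windows integrated security or a supported HMI version, which is the real fix both vendors point to.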
Automation License Manager Vulnerability
It appears that the uncontrolled resource consumption vulnerability reported in the second advisory was self-reported by Siemens; at least no researchers were named in either the ICS-CERT advisory or the Siemens ProductCERT advisory. All Siemens products using the vulnerable versions of ALM are affected.
Siemens notes that specially crafted packets sent to TCP port 4410 can cause data leakage that can enable a denial of service attack. The Siemens advisory recommends that the Windows firewall be configured to allow access to this port only from the local subnet, which should mean that an attacker would have to have access to that subnet. If the firewall is not properly configured, this would certainly be a remotely exploitable vulnerability.
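Here is what that firewall mitigation looks like in practice. The script below is an added example for this post, not Siemens' own guidance text or tooling; the rule name is my own choice, and it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) in an elevated PowerShell session. It first disables any existing inbound allow rule that opens TCP 4410 to any remote address, then allows the port only from the local subnet on every profile, makes sure the default inbound action is Block (without that, a subnet-scoped allow rule restricts nothing), and finally prints the rules now governing the port so the change can be verified.

```powershell
# Added example (not Siemens code): restrict inbound TCP 4410 (the ALM port
# named in the advisory) to the local subnet using the Windows Firewall.
# Assumes the NetSecurity module and an elevated session.
$port     = 4410
$ruleName = 'Siemens ALM 4410/TCP - local subnet only'   # our own rule name

# 1. Disable existing inbound allow rules that open TCP 4410 to any remote
#    address (an installer may have created one); otherwise they override
#    the narrower rule added below.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Disabling overly broad rule '$($_.DisplayName)' (remote: $remote)"
            $_ | Disable-NetFirewallRule
        }
    }

# 2. Allow the port only from hosts on the local subnet, on every profile.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress LocalSubnet -Action Allow -Profile Any | Out-Null
}

# 3. Inbound traffic matching no rule must be blocked, or step 2 is moot.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Show every rule that touches the port so the result can be checked.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    }
```

On older hosts without these cmdlets the same rule can be created with `netsh advfirewall firewall add rule` using `remoteip=localsubnet`. Either way this is a host-level mitigation only: anyone already on the subnet can still reach the port, so the updated ALM version remains the actual fix.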
Siemens does provide an updated version of ALM that addresses this vulnerability.